The higher-dimensional modal μ-calculus is an extension of the μ-calculus in which formulas are 
interpreted in tuples of states of a labeled transition system. Every property that can be expressed 
in this logic can be checked in polynomial time, and conversely every polynomial-time decidable 
problem that has a bisimulation-invariant encoding into labeled transition systems can also be defined 
in the higher-dimensional modal μ-calculus. We exemplify the latter connection by giving several 
examples of decision problems which reduce to model checking of the higher-dimensional modal 
μ-calculus for some fixed formulas. This way generic model checking algorithms for the logic can 
then be used via partial evaluation in order to obtain algorithms for these problems which may 
benefit from improvements that are well-established in the field of program verification, namely 
on-the-fly and symbolic techniques. The aim of this work is to extend such techniques to other fields as 
well, here exemplarily done for process equivalences, automata theory, parsing, string problems, and 
games. 

1 Introduction 

The Modal μ-Calculus lH is mostly known as a backbone for temporal logics used in program 
specification and verification. The most important decision problem in this domain is the model checking 
problem which is used to automatically prove correctness of programs. The model checking problem for 
is well-understood by now. There are several algorithms and implementations for it. It is known 
that model checking $\mathcal{L}_\mu$ is equivalent under linear-time translations to the problem of solving a parity 
game lEl for which there also is a multitude of algorithms available. From a purely theoretical point of 
view, there is still the intriguing question of the exact computational complexity of model checking : 
the best known upper bound for finite models is UP∩coUP [5], which is not entirely matched by the 
P-hardness inherited from model checking modal logic. 

$\mathcal{L}_\mu$ can express exactly the bisimulation-invariant properties of tree or graph models which are 
definable in Monadic Second-Order Logic f45, i.e. are regular. This means that for every such set $L$ of trees 
or graphs there is a fixed formula $\varphi_L$ s.t. a tree or graph $G$ is a model of $\varphi_L$ iff it belongs to $L$. Thus, 
any decision problem that has an encoding into regular and bisimulation-invariant sets of trees or graphs 
can in principle be solved using model checking technology. In detail, suppose there is a set $M$ and a 
function $f$ from the domain of $M$ to graphs s.t. $\{f(x) \mid x \in M\}$ is regular and closed under bisimilarity. 
By the result above there is an formula $\varphi_M$ which defines (the encoding of) $M$. Now any model 
checking algorithm for can be used in order to solve $M$. 

Note that in theory this is just a reduction from $M$ to the model checking problem for $\mathcal{L}_\mu$ on a fixed 
formula. Obviously reductions from any problem A to some problem B can be used to transfer algorithms 
from B to A, and the algorithm obtained for A can in general be at most as good as the algorithm for B 
unless it can be optimised for the fragment of B resulting from embedding A into it. However, there are 
two aspects that are worth noting in this context. 

• A reduction to model checking for a fixed formula can lead to much more efficient algorithms. A 
model checking algorithm takes two inputs in general: a structure and a formula. If the formula is 
fixed then partial evaluation can be used in order to optimise the general scheme, throw away data 
structures, etc. 

• Program verification is a very active research area which has developed many clever techniques 
for evaluating formulas in certain structures including on-the-fly [8] and symbolic methods lO, 
partial-order reductions, etc. 

We refer to [1] for an example of this scheme of reductions to model checking for fixed formulas, there 
being done for problems that are at least PSPACE-hard. It also shows how this can be used to solve 
computation problems in this way. Since the data complexity (model checking with fixed formula) of is 
in P, using this scheme for is restricted to computationally simpler problems which can nevertheless 
benefit from developments in program verification. Furthermore, it is the presence of fixpoint operators 
in such a logic which makes it viable to this approach: fixpoint operators can be used to express 
inductive concepts — e.g. the derivation relation in a context-free grammar — and at the same time provide the 
foundation for algorithmic solutions via fixpoint iteration for instance. 

Here we consider an extension of the Higher-Dimensional Modal μ-Calculus and 
investigate its usefulness regarding the possibility to obtain algorithmic solutions to various decision or 
computation problems which may benefit from techniques originally developed for program verification 
purposes only. It is known that captures the bisimulation-invariant fragment of P. We will sketch how 
the model checking problem can be reduced to model checking via a simple product construction 
on transition systems. Thus we can obtain — in principle — an algorithm for every problem that admits 
a polynomial-time solution and a bisimulation-invariant encoding into graphs. The reduction from 
to is compatible with on-the-fly or BDD-based model checking techniques, thus transferring such 
algorithms from first to and then on to such decision problems. 

2 The Higher-Dimensional Modal μ-Calculus 

Labeled Transition Systems. A labeled transition system (LTS) is a graph whose vertices and edges 
are labeled with sets of propositional variables and labels respectively. Formally, an LTS over a set 
$\Sigma = \{a, b, \ldots\}$ of edge labels and a set $P = \{p, q, \ldots\}$ of atomic propositions is a tuple $\mathfrak{M} = (S, s_0, \Delta, \rho)$ 
such that $s_0 \in S$, $\Delta \subseteq S \times \Sigma \times S$ and $\rho : S \to \mathcal{P}(P)$. Elements of $S$ are called states, and we write $s \xrightarrow{a} s'$ 
when $(s, a, s') \in \Delta$. The state $s_0 \in S$ is called the initial state of $\mathfrak{M}$. 

We will mainly consider finite transition systems, i.e. transition systems $(S, s_0, \Delta, \rho)$ such that $S$ is a 
finite set. Infinite-state transition systems arising from program verification are also of interest, but their 
model checking techniques differ from the ones of finite LTS and cannot be handled by our approach 
(see more comments on that point in the conclusion). 

Syntax. We assume infinite sets $\mathsf{Var} = \{x, y, \ldots\}$ and $\mathsf{Var}_2 = \{X, Y, \ldots\}$ of first-order and second-order 
variables respectively. For tuples of first-order variables $\bar{x} = (x_1, \ldots, x_n)$ and $\bar{y} = (y_1, \ldots, y_n)$, with all $x_i$ 
distinct, $\bar{x} \leftarrow \bar{y}$ denotes the function $\kappa : \mathsf{Var} \to \mathsf{Var}$ such that $\kappa(x_i) = y_i$, and $\kappa(z) = z$ otherwise. It is called 
a variable replacement. 

The syntax of the higher-dimensional modal μ-calculus is reminiscent of that of the ordinary 
modal μ-calculus. However, modalities and propositions are relativized to a first-order variable, and it 
also features the replacement modality $\{\kappa\}$. Formulas of are defined by the grammar 

$$\varphi, \psi ::= p(x) \mid X \mid \neg\varphi \mid \varphi \wedge \psi \mid \langle a \rangle_x \varphi \mid \mu X.\varphi \mid \{\bar{x} \leftarrow \bar{y}\}\varphi$$

where $x, y \in \mathsf{Var}$, $\kappa : \mathsf{Var} \to \mathsf{Var}$ is a variable replacement with finite domain, $a \in \Sigma$, and $X \in \mathsf{Var}_2$. We 
require that every second-order variable gets bound by a fixpoint quantifier at most once in a formula. 
Then for every formula $\varphi$ there is a function $\mathit{fp}_\varphi$ which maps each second-order variable $X$ occurring 
in $\varphi$ to its unique binding formula $\mathit{fp}_\varphi(X) = \mu X.\psi$. Finally, we allow occurrences of a second-order 
variable $X$ only under the scope of an even number of negation symbols underneath $\mathit{fp}_\varphi(X)$. 

A formula is of dimension $n$ if it contains at most $n$ distinct first-order variables; we write to 
denote the set of formulas of dimension $n$. Note that is equivalent to the standard modal μ-calculus: 
with a single first-order variable $x$, we have $p(x) \equiv p$, $\{x \leftarrow x\}\psi \equiv \psi$ and $\langle a \rangle_x \psi \equiv \langle a \rangle \psi$ for any $\psi$. 

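As usual, we write $\varphi \vee \psi$, $[a]_x \varphi$, and $\nu X.\varphi$ to denote $\neg(\neg\varphi \wedge \neg\psi)$, $\neg\langle a \rangle_x \neg\varphi$, $\neg\mu X.\neg\varphi'$ respectively 
where $\varphi'$ is obtained from $\varphi$ by replacing every occurrence of $X$ with $\neg X$. Other Boolean operators like 
$\Rightarrow$ and $\Leftrightarrow$ are defined as usual. 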

Note that $\{\kappa\}$ is an operator in the syntax of the logic; it does not describe syntactic replacement of 
variables. Consider for instance the formula 

$$\nu X.\ \bigwedge_{p \in P} p(x) \Leftrightarrow p(y) \ \wedge\ \bigwedge_{a \in \Sigma} [a]_x \langle a \rangle_y X \ \wedge\ \{(x,y) \leftarrow (y,x)\} X.$$

As we will later see, this formula characterizes bisimilar states $x$ and $y$. In this formula, the operational 
meaning of $\{x,y \leftarrow y,x\}X$ can be thought as "swapping the players' pebbles" in the bisimulation game. 

We will sometimes require formulas to be in positive normal form. Such formulas are built from 
literals $p(x)$, $\neg p(x)$ and second-order variables $X$ using the operators $\wedge$, $\vee$, $\langle a \rangle_x$, $[a]_x$, $\mu$, $\nu$, and $\{\kappa\}$. A 
formula is closed if all second-order variables are bound by some $\mu$. 

With $\mathit{Sub}(\varphi)$ we denote the set of all subformulas of $\varphi$. It also serves as a good measure for the 
size of a formula: $|\varphi| := |\mathit{Sub}(\varphi)|$. Another good measure of the complexity of the formula $\varphi$ is its 
alternation depth $\mathit{ad}_\varphi$, i.e. the maximal alternation of $\mu$ and $\nu$ quantifiers along any path in the syntactic 
tree of its positive normal form. 



Semantics. A first-order valuation $v$ over a LTS $\mathfrak{M}$ is a mapping from first-order variables to states, 
and a second order valuation is a mapping from second order variables to sets of first-order valuations: 

$$\mathsf{Val} = \mathsf{Var} \to S$$
$$\mathsf{Val}_2 = \mathsf{Var}_2 \to \mathcal{P}(\mathsf{Val})$$

We write $v[\bar{x} \mapsto \bar{s}]$ to denote the first-order valuation that coincides with $v$, except that $x_i \in \bar{x}$ is 
mapped to the corresponding $s_i \in \bar{s}$. We use the same notation $\mathcal{V}[X \mapsto P]$ for second-order valuations. 

The semantics of a formula $\varphi$ of for a LTS $\mathfrak{M}$ and a second-order valuation $\mathcal{V}$ is defined as a set of 
first-order valuations by induction on the formula: 

We simply write $[\![\varphi]\!]_{\mathfrak{M}}$ to denote the semantics of a closed formula. We write $\mathfrak{M}, v \models \varphi$ if $v \in [\![\varphi]\!]_{\mathfrak{M}}$, 
and $\mathfrak{M} \models \varphi$ if $\mathfrak{M}, v_0 \models \varphi$, where $v_0$ is the constant function to $s_0$. Two formulas are equivalent, written 
$\varphi \equiv \psi$, if $[\![\varphi]\!]_{\mathfrak{M}} = [\![\psi]\!]_{\mathfrak{M}}$ for any LTS. As with the normal modal μ-calculus, it is a simple exercise 
to prove that every formula is equivalent to one in positive normal form. 

Proposition 1. For every $\varphi \in$ there is a $\psi$ in positive normal form such that $\varphi \equiv \psi$ and $|\psi| \le 2 \cdot |\varphi|$. 

Reduction to the Ordinary μ-Calculus. Here we consider as a formal language for defining 
decision problems. Algorithms for these problems can be obtained from model checking algorithms for 
on fixed formulas using partial evaluation. In order to lift all sorts of special techniques which have 
been developed for model checking in the area of program verification we show how to reduce the 
model checking problem to that of $\mathcal{L}_\mu$, i.e. the ordinary μ-calculus. 

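Let us assume a fixed non-empty finite subset $V$ of first-order variables. A formula $\varphi$ of with 
$\mathit{fv}(\varphi) \subseteq V$ can be seen as a formula $\hat\varphi$ of over the set of the atomic propositions $P \times V$ and the action 
labels $\Sigma \times V \cup (V \to V)$. We write $p_x$ instead of $(p, x)$ for elements of $P \times V$, and equally $a_x$ for elements 
from $\Sigma \times V$. Then $\varphi \mapsto \hat\varphi$ can be defined as the homomorphism such that $\widehat{p(x)} = p_x$, $\widehat{\langle a \rangle_x \varphi} = \langle a_x \rangle \hat\varphi$, and 
$\widehat{\{\bar{x} \leftarrow \bar{y}\}\varphi} = \langle \bar{x} \leftarrow \bar{y} \rangle \hat\varphi$. 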

We call an LTS higher-dimensional when it interprets the extended propositions $p_x$ and modalities 
$\langle a_x \rangle$ and $\langle \kappa \rangle$ introduced by the formulas $\hat\varphi$, and ground when it interprets the standard propositions and 
modalities. For a ground LTS $\mathfrak{M}$ and a formula $\varphi$, we thus need to define the higher-dimensional LTS 
over which $\hat\varphi$ should be interpreted: we call it the $V$-clone of $\mathfrak{M}$, and write it $\mathit{clone}_V(\mathfrak{M})$. Roughly 
speaking, $\mathit{clone}_V(\mathfrak{M})$ is the asynchronous product of $|V|$ copies of $\mathfrak{M}$. More formally, assume $\mathfrak{M} = 
(S, s_0, \Delta, \rho)$; then $\mathit{clone}_V(\mathfrak{M}) = (S', s_0', \Delta', \rho')$ is defined as follows. 

• The states are valuations of the variables in $V$ by states in $S$, e.g. $S' = V \to S$, and $s_0'$ is the constant 
function $\lambda x \in V.\, s_0$. 

• The atomic proposition $p_x$ is true in those new states, which assign $x$ to an original state that 
satisfies $p$, e.g. $\rho'(v) = \{p_x : p \in \rho(v(x))\}$. 

• The transitions contain labels of two kinds. First, there is an $a_x$-edge between two valuations $v$ and 
$v'$, if there is an $a$-edge between $v(x)$ and $v'(x)$ in the original LTS $\mathfrak{M}$: 

$$v \xrightarrow{a_x} v' \quad\text{iff}\quad \exists t.\ v(x) \xrightarrow{a} t \text{ and } v' = v[x \mapsto t].$$

For the other kind of transitions we need to declare the effect of applying a replacement to a 
valuation. Let $v : V \to S$ be a valuation of the first-order variables in $V$, and $\kappa : V \to V$ be a replacement 
operator. Let $\kappa(v)$ be the valuation such that $\kappa(v)(x) = v(\kappa(x))$. Then we add the following 
transitions to $\Delta'$. 

$$v \xrightarrow{\kappa} v' \quad\text{iff}\quad v' = \kappa(v)$$

Note that the relation with label $\kappa$ is functional for any such $\kappa$, i.e. every state in $\mathit{clone}_V(\mathfrak{M})$ has 
exactly one $\kappa$-successor. Hence, we have $\langle \kappa \rangle \psi \equiv$ over cloned LTS. 

Theorem 2. Let $V$ be a finite set of first-order variables, let $\mathfrak{M} = (S, s_0, \Delta, \rho)$ be a ground LTS, and let 
$\varphi$ be a formula such that $\mathit{fv}(\varphi) \subseteq V$. Then 

iff $\mathit{clone}_V(\mathfrak{M}) \models \hat\varphi$. 

The proof goes by straightforward induction on $\varphi$ and is therefore omitted - see also the chapter 
on descriptive complexity in [3] for similar results. The importance of Thm. 2 is based on the fact that it 
transfers many model checking algorithms for the modal μ-calculus to for example on-the-fly model 
checking HI, symbolic model checking IS with BDDs or via SAT, strategy improvement schemes 111, 
etc. 

3 Various Problems as Model Checking Problems 

The model checking algorithms we mentioned can be exploited to solve any polynomial-time problem 
that can be encoded as a model checking problem in By means of examples, we now intend to show 
that these problems are quite numerous. 

Process Equivalences. The first examples are process equivalences encountered in process algebras. 
We only consider here strong simulation equivalence and bisimilarity, and let the interested reader think 
about how to encode other process equivalences, like weak bisimilarity for instance. 

Let us first recall some standard definitions. Let $\mathfrak{M} = (S, s_0, \Delta, \rho)$ be a fixed LTS. A simulation is a 
binary relation $R \subseteq S \times S$ such that for all $(s_1, s_2)$ in $R$, 

• for all $p \in P$: $p \in \rho(s_1)$ iff $p \in \rho(s_2)$; 

• for all $a \in \Sigma$ and $s_1' \in S$, if $s_1 \xrightarrow{a} s_1'$, then there is $s_2' \in S$ such that $s_2 \xrightarrow{a} s_2'$ and $(s_1', s_2') \in R$. 

Two states $s, s'$ are simulation equivalent, s ^ s', if there are simulations $R, R'$ such that $(s, s') \in R$ and 
$(s', s) \in R'$. A simulation $R$ is a bisimulation if $R = R^{-1}$; we say that $s, s'$ are bisimilar, $s \sim s'$, if there 
is a bisimulation that contains $(s, s')$. We say that two valuations are bisimilar, $v \sim v'$, if for all $x \in \mathsf{Var}$, 
$v(x) \sim v'(x)$. 

Proposition 3 [7]. is closed under bisimulation: if $v \in [\![\varphi]\!]$ and $v \sim v'$, then $v' \in [\![\varphi]\!]$. 

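Let us now explain how these process equivalences can be decided by the model checking algorithms: 
the following formula captures valuations $v$ such that $v(x) \sim v(y)$ 

$$\nu X.\ \bigwedge_{p \in P} p(x) \Leftrightarrow p(y) \ \wedge\ \bigwedge_{a \in \Sigma} [a]_x \langle a \rangle_y X \ \wedge\ \{(x,y) \leftarrow (y,x)\} X$$

whereas the following formula captures valuations $v$ such that v(x) v(y) 

$$\nu X.\ \Big(\nu Y.\ \bigwedge_{p \in P} p(x) \Leftrightarrow p(y) \ \wedge\ \bigwedge_{a \in \Sigma} [a]_x \langle a \rangle_y Y\Big) \ \wedge\ \{(x,y) \leftarrow (y,x)\} X.$$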
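
The reduction of Section 2 applied to the bisimilarity formula, as an added example that is not code from the paper: it builds the clone for V = {x, y} and evaluates the translated formula with ordinary box and diamond operators by greatest-fixpoint iteration. The sample LTS is constructed, and the names `clone_xy`, `bisimilar_pairs` and the label `SWAP` are hypothetical.

```python
from itertools import product

# Constructed ground LTS: s0/s1 form an a-b loop, t0..t2 unfold the same
# behaviour, u0 can do 'a' but then deadlocks. No atomic propositions.
STATES = ["s0", "s1", "t0", "t1", "t2", "u0", "u1"]
EDGES = {("s0", "a", "s1"), ("s1", "b", "s0"),
         ("t0", "a", "t1"), ("t1", "b", "t2"), ("t2", "a", "t1"),
         ("u0", "a", "u1")}
PROPS = {s: frozenset() for s in STATES}
SWAP = "(x,y)<-(y,x)"   # label of the only replacement this formula uses


def clone_xy(states, edges):
    """clone_V(M) for V = (x, y): states are valuations, stored as pairs
    (v(x), v(y)); succ maps (valuation, label) to its set of successors."""
    cstates = list(product(states, repeat=2))
    succ = {}
    for v in cstates:
        for s, a, t in edges:
            if s == v[0]:   # a_x-edge: component x moves, y is untouched
                succ.setdefault((v, (a, "x")), set()).add((t, v[1]))
            if s == v[1]:   # a_y-edge: component y moves, x is untouched
                succ.setdefault((v, (a, "y")), set()).add((v[0], t))
        succ[(v, SWAP)] = {(v[1], v[0])}   # functional replacement edge
    return cstates, succ


def diamond(cstates, succ, label, target):
    """<label> target, evaluated as an ordinary modality over the clone."""
    return {v for v in cstates if succ.get((v, label), set()) & target}


def box(cstates, succ, label, target):
    """[label] target, evaluated as an ordinary modality over the clone."""
    return {v for v in cstates if succ.get((v, label), set()) <= target}


def bisimilar_pairs(states, edges, props):
    """Greatest fixpoint of the translated bisimilarity formula."""
    cstates, succ = clone_xy(states, edges)
    sigma = sorted({a for _, a, _ in edges})
    same_props = {v for v in cstates if props[v[0]] == props[v[1]]}
    current = set(cstates)          # nu-iteration starts from all valuations
    while True:
        nxt = set(same_props)
        for a in sigma:
            nxt &= box(cstates, succ, (a, "x"),
                       diamond(cstates, succ, (a, "y"), current))
        nxt &= diamond(cstates, succ, SWAP, current)
        if nxt == current:
            return current
        current = nxt


if __name__ == "__main__":
    result = bisimilar_pairs(STATES, EDGES, PROPS)
    print(sorted(p for p in result if p[0] < p[1]))
```

The clone has |S|^|V| states, which is why the construction stays polynomial only for a fixed set V.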

Automata Theory. A second application of is in the field of automata theory. To illustrate this 
aspect, we pick some language inclusion problems that can be solved in polynomial-time. 

A non-deterministic Büchi automaton can be viewed as a finite LTS $A = (S, s_A, \Delta, \rho)$ where $\rho$ 
interprets a predicate final. Remember that a run on an infinite word $w \in$ in $A$ is accepting if it visits 
infinitely often a final state. The set of words $L(A) \subseteq$ that have an accepting run is called the language 
accepted by $A$. 

The language inclusion problem $L(A) \subseteq L(B)$ is PSPACE-hard for arbitrary Büchi automata and 
therefore unlikely to be definable in In the restricted case of $B$ being deterministic, it becomes 
solvable in polynomial time. Remember that a Büchi automaton is called deterministic if for all $a \in \Sigma$, 
for all $s, s_1, s_2 \in S$, if $s \xrightarrow{a} s_1$ and $s \xrightarrow{a} s_2$, then $s_1 = s_2$. 

Let us now encode the language inclusion problem $L(A) \subseteq L(B)$ as a model checking problem. 
To shorten a bit the formula, we assume that $B$ is moreover complete, i.e. for all $s \in S$, for all $a \in \Sigma$, there 
is at least one $s'$ such that $s \xrightarrow{a} s'$. Let us introduce the modality $\langle synch \rangle \varphi = \bigvee_{a \in \Sigma} \langle a \rangle_x \langle a \rangle_y \varphi$. Consider 
the formula 

$$\varphi_{incl} = \langle synch \rangle^* \nu Z_1.\Big(\mathit{final}(x) \wedge \neg\mathit{final}(y) \wedge \mu Z_2.\ \langle synch \rangle \big(Z_1 \vee (\neg\mathit{final}(y) \wedge Z_2)\big)\Big)$$

Let $\mathfrak{M}_{A,B}$ be the LTS obtained as the disjoint union of $A$ and $B$ with initial states $s_A$ of $A$ and $s_B$ of $B$ 
respectively. Then $L(A)$ is included in $L(B)$ if and only if $\mathfrak{M}_{A,B}, v$ $\varphi_{incl}$ where $v(x) = s_A$ and $v(y) = s_B$. 
Indeed, this formula is satisfied if there is a run of $A$ and a run $r_B$ of $B$ reading the same word $w \in$ 
such that $r_A$ visits a final state of $A$ infinitely often, whereas $r_B$ eventually stops visiting the final states of 
$B$. Since $B$ is deterministic, no other run $r_B'$ could read $w$, thus $w \in L(A) \setminus L(B)$. 

The same ideas can be applied to parity automata. A parity automaton is a finite automaton where 
states are assigned priorities; it can be seen as an LTS $(S, s_0, \Delta, \rho)$ where $\rho$ interprets priority predicates 
$\mathit{prty}_k$ in such a way that $\rho(s)$ is a singleton $\{\mathit{prty}_k\}$ for all $s \in S$. A word $w \in$ is accepted by a parity 
automaton if there is a run of $w$ such that the largest priority visited infinitely often is even. Consider the 
formulas $\mathit{prty}_{\le m}(x) = \mathit{prty}_0(x) \vee \ldots \vee \mathit{prty}_m(x)$ and 

$$\varphi_{n,m} = \langle synch \rangle^* \nu Z.\ \langle synch' \rangle^+ \big(\mathit{prty}_n(x) \wedge \langle synch' \rangle^+ (\mathit{prty}_m(y) \wedge Z)\big)$$

where $\langle synch' \rangle^+ \varphi$ is a shorthand for $\mu Z.\ \langle synch \rangle\, \mathit{prty}_{\le n}(x) \wedge \mathit{prty}_{\le m}(y) \wedge (\varphi \vee Z)$. Then $\varphi_{n,m}$ asserts that 
there are two runs and $r_B$ of two parity automata $A$ and $B$ recognizing the same word $w$ such that the 
highest priorities visited infinitely often by and $r_B$ are respectively $n$ and $m$. Since $L(A) \not\subseteq L(B)$ if and 
only if there is an even $n$ and an odd $m$ such that $\mathfrak{M}_{A,B} \models \varphi_{n,m}$, this gives us again a decision procedure for 
the language inclusion problem of parity automata when $B$ is deterministic complete. 

Parsing of Formal Languages. A third application of is in the field of parsing for formal, namely 
context-free languages. To each finite word $w$, we may associate its linear LTS $\mathfrak{M}_w$. For instance, for 
$w = aab$, $\mathfrak{M}_w$ is the LTS $\circ \xrightarrow{a} \circ \xrightarrow{a} \circ \xrightarrow{b} \circ$. Let us now consider a context-free grammar $G$, 
and define a formula that describes the language of $G$. To ease the presentation, we assume that $G$ 
is in Chomsky normal form, but a linear-size formula would be derivable for an arbitrary context-free 
grammar as well. The production rules of $G$ are thus of the form either $X_i \to X_j X_k$ or $X_i \to a$, for $X_1, \ldots, X_n$ 
the non-terminals of $G$. Let us pick variables $x$, $y$ and $z$, intended to represent respectively the initial, 
the final, and an intermediate position in the (sub)word currently parsed. To every non-terminal $X_i$, we 
associate the recursive definition: 

$$\varphi_i =_\mu \bigvee_{X_i \to a} \langle a \rangle_x\, x \sim y \ \vee \bigvee_{X_i \to X_j X_k} \{z \leftarrow x\} \langle - \rangle_z^* \big(\{y \leftarrow z\}\varphi_j \wedge \{x \leftarrow z\}\varphi_k\big)$$

where $x \sim y$ is the formula characterizing bisimilarity and $\langle - \rangle_z^* \varphi$ is $\mu Z.\ \varphi \vee \bigvee_{a \in \Sigma} \langle a \rangle_z Z$. If $v(x)$ and $v(y)$ 
are respectively the initial and final states of $\mathfrak{M}_w$, then $\mathfrak{M}_w, v \models \varphi_i$ is equivalent to $w$ being derivable in $G$ 
starting with the symbol $X_i$. 
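
The recursive definitions above can be evaluated by simultaneous least-fixpoint iteration over pairs of positions; the following is an added example, not code from the paper. The grammar, the sample words and all function names are constructed for illustration, and bisimilarity on a linear LTS is replaced by equality of positions, which coincide there.

```python
from collections import defaultdict

# Constructed CNF grammar for { a^n b^n : n >= 1 }:
#   S -> A B | A T,   T -> S B,   A -> a,   B -> b
UNARY = {"A": {"a"}, "B": {"b"}}                      # rules X_i -> a
BINARY = {"S": {("A", "B"), ("A", "T")},              # rules X_i -> X_j X_k
          "T": {("S", "B")}}


def word_lts(word):
    """Linear LTS of a word: states 0..len(word), edge i --word[i]--> i+1."""
    return {i: ({(word[i], i + 1)} if i < len(word) else set())
            for i in range(len(word) + 1)}


def reachable(lts, start):
    """States reachable from start: the effect of {z <- x} then <->*_z."""
    seen, todo = {start}, [start]
    while todo:
        for _, t in lts[todo.pop()]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def derivation_relation(word, unary, binary):
    """Least fixpoint of all phi_i at once: D[X] holds the valuations
    (v(x), v(y)) whose enclosed subword is derivable from X."""
    lts = word_lts(word)
    D = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for X in set(unary) | set(binary):
            new = set()
            for a in unary.get(X, ()):
                # <a>_x (x ~ y): x takes one a-step and must then equal y
                new |= {(x, y) for x in lts for b, y in lts[x] if b == a}
            for Xj, Xk in binary.get(X, ()):
                for x in lts:
                    for z in reachable(lts, x):
                        if (x, z) in D[Xj]:
                            new |= {(x, y) for z2, y in D[Xk] if z2 == z}
            if not new <= D[X]:
                D[X] |= new
                changed = True
    return D


def derives(word, start="S"):
    """Check phi_start at v(x) = initial state and v(y) = final state."""
    return (0, len(word)) in derivation_relation(word, UNARY, BINARY)[start]


if __name__ == "__main__":
    for w in ["ab", "aabb", "aab", "abab", ""]:
        print(repr(w), derives(w))
```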

String Problems. Model Checking for can even be useful for computation (as opposed to 
decision) problems. Consider for example the Longest Common Subword problem: given words $w_1, \ldots, w_m$ 
over some alphabet $\Sigma$, find a longest $v$ that is a subword of all $w_i$. This problem is NP-complete for 
an unbounded number of input words. Thus, we consider the problem restricted to some fixed $m$, and 
it is possible to define a formula $\varphi^m_{LCSW} \in$ such that model checking this formula on a suitable 
representation of the $w_i$ essentially computes such a common subword. 

For the LTS take the disjoint union of all $\mathfrak{M}_{w_i}$, for $i = 1, \ldots, m$, and assume that each state in $\mathfrak{M}_{w_i}$ 
is labeled with a proposition $p_i$ which makes it possible to define $m$-tuples of states in which the $i$-th 
component belongs to $\mathfrak{M}_{w_i}$. Now consider the formula 

$$\varphi^m_{LCSW} := \bigwedge_{i=1}^{m} p_i(x_i) \wedge \bigvee_{a \in \Sigma} \langle a \rangle_1 \cdots \langle a \rangle_m X$$

Note that $\varphi^m_{LCSW}$ is unsatisfiable for any $m \ge 1$. Thus, a symbolic model checking algorithm for instance 
would always return the empty set of tuples when called on this formula and any LTS. However, on 
an LTS representing $w_1, \ldots, w_m$ as described above it consecutively computes in the $j$-th round of the 
fixpoint iteration, all tuples of positions $h_1, \ldots, h_m$ such that the subwords in $w_i$ from position $h_i - j$ to $h_i$ 
are all the same for every $i = 1, \ldots, m$. Thus, it computes, in its penultimate round the positions inside the 
input words in which the longest common substrings end. Their starting points can easily be computed 
by maintaining a counter for the number of fixpoint iterations done in the model checking run. 

In the same way, it is possible to compute the longest common subsequence of input words $w_1, \ldots, w_m$. 
A subsequence of $w$ is obtained by deleting arbitrary symbols, whereas a subword is obtained by 
deleting an arbitrary prefix and suffix from $w$. The Longest Common Subsequence problem is equally known 
to be NP-complete for unbounded $m$. For any fixed $m$, however, the following formula can be used to 
compute all longest common subsequences of such input words using model checking technology in the 
same way as it is done in the case of the Longest Common Subword problem. 

m 

Cess := VX. A Pii^i) A V (-); ■ • ■ (-)L^ 

!=1 asE 

where $\langle - \rangle_i^* \psi$ stands for $\mu Y.\ \psi \vee \bigvee_{a \in \Sigma} \langle a \rangle_{x_i} Y$. 

Games. The Cat and Mouse Game is played on a directed graph with three distinct nodes c, m and t as 
follows. Initially, the cat resides in node c, the mouse in node m. In each round, the mouse moves first. 
He can move along an edge to a successor node of the current one or stay on the current node, then the 
cat can do the same. If the cat reaches the mouse, she wins; otherwise, if the mouse reaches the target 
node t, he wins; otherwise, the mouse runs forever without being caught nor reaching the target node: in 
that case, the cat wins. The problem of solving the Cat and Mouse Game is to decide whether or not the 
mouse has a winning strategy for a given graph. 

Note that this problem is not bisimulation-invariant under the straight-forward encoding of the di- 
rected graph as an LTS with a single proposition t to mark the target node. Consider for example the 
following two, bisimilar game arenas. 

Clearly, if the cat and mouse start on the two separate leftmost nodes then the mouse can reach the target 
first. However, these nodes are bisimilar to the left node of the right graph, and if they both start on this 
one then the cat has caught the mouse immediately. 

Thus, winning strategies cannot necessarily be defined in However, it is possible to define them 
when a new atomic formula eq{x,y) expressing that x and y evaluate to the same node, is being added to 
the syntax of (standard model checking procedures can be extended to handle the equality predicate 
eq as well). 

$$\varphi_{CMG} := \mu X.\ \big(t(x) \wedge \neg eq(x,y)\big) \vee \langle - \rangle_x \big(\neg eq(x,y) \wedge [-]_y X\big)$$

We have $v \models \varphi_{CMG}$ if and only if the mouse can win from position $v(x)$ when the cat is on position $v(y)$ 
initially. 
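
The least fixpoint of this formula can be computed directly over pairs (mouse, cat); the following is an added example, not code from the paper. The arena is constructed and is not the one from the paper's figure, the function names are hypothetical, and the "stay" move is modelled by letting every node also be its own successor, which is an assumption about the encoding.

```python
# Constructed arena (directed edges). Mouse starts on "m", target is "t".
ARENA = {"m": {"a"}, "a": {"t"}, "t": set(), "c": {"b"}, "b": {"a"}}
TARGET = "t"


def moves(arena, node):
    """Successors along an edge, plus staying on the current node
    (assumption: staying is encoded as an implicit self-loop)."""
    return arena[node] | {node}


def mouse_winning_region(arena, target):
    """Least fixpoint of phi_CMG over valuations (v(x), v(y)) = (mouse, cat).
    Returns the winning set and the number of iteration rounds."""
    positions = [(x, y) for x in arena for y in arena]
    win = set()                       # mu-iteration starts from the empty set
    rounds = 0
    while True:
        rounds += 1
        nxt = set()
        for x, y in positions:
            # t(x) and not eq(x, y): mouse is on the target and not caught
            if x == target and x != y:
                nxt.add((x, y))
                continue
            # <->_x ( not eq(x, y) and [-]_y X ): some mouse move avoids the
            # cat's node and stays winning against every cat reply
            for x2 in moves(arena, x):
                if x2 != y and all((x2, y2) in win for y2 in moves(arena, y)):
                    nxt.add((x, y))
                    break
        if nxt == win:
            return win, rounds
        win = nxt


def mouse_wins(mouse, cat, arena=ARENA, target=TARGET):
    """True iff the valuation x -> mouse, y -> cat satisfies the formula."""
    return (mouse, cat) in mouse_winning_region(arena, target)[0]


if __name__ == "__main__":
    print("cat on c:", mouse_wins("m", "c"))   # cat is too far away
    print("cat on b:", mouse_wins("m", "b"))   # cat can block node a
```

Because the iteration starts from the empty set, positions from which the mouse can only run forever never enter the result, matching the rule that the cat wins such plays.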

4 Conclusion 

We have considered the modal fixpoint logic for a potential use in algorithm design and given ex- 
amples of problems which can be defined in The combination of fixpoint quantifiers and modal 
operators has been proved to be very fruitful for obtaining algorithmic solutions for problems in auto- 
matic program verification. The examples boost the idea of using successful model checking technology 
in other areas too. 

The use of model checking algorithms on fixed formulas does not provide a generic recipe that 
miraculously generates efficient algorithms, but it provides the potential to do so. The next step on this 
route towards an efficient algorithm for some problem P requires partial evaluation on a model checking 
algorithm and the formula (pp defining P. This usually requires manual tweaking of the algorithm and 
is highly dependent on the actual (pp. Thus, future work on this direction would consist of consequently 
optimising model checking algorithms for certain definable problems and testing their efficiency in 
practice. 

On a different note, is an interesting fixpoint calculus for which the model checking problem 
over infinite-state transition systems has not been quite studied so far. The most prominent result in this 
area is the decidability of over pushdown LTS [10]. However, model checking — or even just 
$\mathcal{L}_\mu^k$ for some $k > 2$ — seems undecidable for pushdown LTS. It is questionable whether model checking 
of is decidable for any popular class of infinite-state transition systems. 